TOTP

Secret Server supports using any type of soft token or mobile application authentication using the Time-Based One-Time Password (TOTP) RFC6238 algorithm. TOTPs are typically generated and authenticated by a mobile application using an algorithm that incorporates the current time to ensure that each one-time password (OTP) is unique. TOTP applications include Authy, Google Authenticator, and Microsoft Authenticator.

Secret Server can also serve as an OTP generator, providing TOTP authentication for RPC and launchers. The soft token two-factor function in Secret Server is the "TOTP Authenticator", and you can use any application that uses the TOTP RFC6238 standard (details on the standard can be found at the IETF Tools website). An example of a TOTP application that works with Secret Server soft token two-factor authentication is Microsoft Authenticator.

The same 32-character key can generate different TOTP outputs based on the hashing algorithm used (SHA1, SHA256, or SHA512). It is essential to configure the Secret Server template to use the same hashing algorithm as the external system providing the key. This ensures that the generated TOTP codes are accurate and can be successfully authenticated.
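
The following added example (not Secret Server code) computes RFC 6238 codes for one 32-character key under SHA1, SHA256, and SHA512, and reports which algorithm reproduces a code observed on the external system. The key is the constructed RFC 6238 test seed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key, not a real secret: base32 of the RFC 6238 test
# seed "12345678901234567890", which is exactly 32 characters long.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def totp(key_b32, unix_time, algorithm="sha1", digits=6, period=30):
    """Return the RFC 6238 code for a base32 key at the given Unix time."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(unix_time) // period)  # 8-byte time step
    digest = hmac.new(key, counter, ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def codes_by_algorithm(key_b32, unix_time, digits=6):
    """Codes the same key produces under each supported hash."""
    return {name: totp(key_b32, unix_time, name, digits) for name in ALGORITHMS}


def matching_algorithms(key_b32, unix_time, observed_code):
    """Hashes that reproduce a code the external system showed at unix_time."""
    codes = codes_by_algorithm(key_b32, unix_time, digits=len(observed_code))
    return [n for n, c in codes.items() if hmac.compare_digest(c, observed_code)]


if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    for name, code in codes_by_algorithm(SAMPLE_KEY, t).items():
        print(f"{name:7s} {code}")
    print("matches 287082:", matching_algorithms(SAMPLE_KEY, t, "287082"))
```

If a code from the external system matches none of the three algorithms, check the key, the digit count, the period, and clock drift before changing the template's hash setting.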